Free Cloudflare Tool Helps CAs Securely Issue Certificates

Internet performance and security firm Cloudflare on Tuesday announced the availability of a free API designed to help certificate authorities (CAs) securely issue certificates by ensuring that malicious actors cannot complete the domain control validation process via BGP hijacking and DNS spoofing attacks.

When an entity requests a certificate for their website, they are required to complete a domain control validation (DCV) process that proves they are the legitimate owner of the domain. This process can involve creating a specific DNS resource record, uploading a document to the server linked to the domain, or proving ownership of the domain’s administrative email account.

However, a team of researchers demonstrated recently that CAs can be “bamboozled” with Border Gateway Protocol (BGP) attacks. They successfully reproduced their attack methods against Let’s Encrypt, Comodo, Symantec, GoDaddy and GlobalSign.

Threat actors can also fraudulently complete the verification process using DNS spoofing attacks.

BGP hijacking and DNS spoofing allow hackers to reroute the requests sent by the CA during the validation process to a domain they control instead of the legitimate domain.

Once an attacker has obtained a bogus certificate for the targeted domain, they can pose as the victim and intercept encrypted traffic. A misissued certificate can be detected by CAs using Certificate Transparency logs, but it can take many hours for a rogue certificate to be added to these logs and for web browsers to take action.

Cloudflare’s new tool aims to proactively address the risk of certificates issued through fraudulent DCV by using the company’s vast network to perform the DCV process from multiple locations around the world.

“Given that Cloudflare runs 175+ datacenters around the world, we are in a unique position to perform DCV from multiple vantage points. Each datacenter has a unique path to DNS nameservers or HTTP endpoints, which means that successful hijacking of a BGP route can only affect a subset of DCV requests, further hampering BGP hijacks. And since we use RPKI, we actually sign and verify BGP routes,” Cloudflare said in a blog post.

“This DCV checker additionally protects CAs against off-path, DNS spoofing attacks. An additional feature that we built into the service that helps protect against off-path attackers is DNS query source IP randomization. By making the source IP unpredictable to the attacker, it becomes more challenging to spoof the second fragment of the forged DNS response to the DCV validation agent,” the company added.
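The following Python snippet is an added illustration of the multi-vantage-point idea described above; it is not Cloudflare's code and does not reflect the actual policy of its DCV checker. It assumes a hypothetical, simplified rule: a validation passes only when at least `quorum` vantage points answered, and every vantage point that answered saw the expected token. A single vantage point reporting a different token is treated as a sign that its path was hijacked or its DNS answer spoofed, which is exactly the case a single-location check would miss. The vantage-point names and tokens are constructed sample data.

```python
"""Simplified multi-vantage-point domain control validation (DCV) check.

Added example (not Cloudflare's implementation). It models the defender's
side of the argument in the article: a BGP hijack or DNS spoof that only
affects some network paths produces *disagreement* between vantage points,
and disagreement should fail validation rather than be ignored.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VantageResult:
    """What one vantage point observed when it fetched the DCV challenge."""
    vantage: str                   # constructed label, e.g. "dc-ams"
    observed_token: Optional[str]  # None means the lookup failed or timed out


def evaluate_multipath_dcv(
    expected_token: str,
    results: List[VantageResult],
    quorum: int,
) -> Tuple[bool, str]:
    """Return (passed, reason) under the hypothetical policy described above.

    - Every vantage point that answered must have seen `expected_token`.
    - At least `quorum` vantage points must have answered and agreed.
    Lookups that returned None (no answer) neither confirm nor deny; they
    only reduce the number of agreeing perspectives.
    """
    answered = [r for r in results if r.observed_token is not None]
    disagreeing = [r for r in answered if r.observed_token != expected_token]
    agreeing = [r for r in answered if r.observed_token == expected_token]

    if disagreeing:
        names = ", ".join(sorted(r.vantage for r in disagreeing))
        return False, (
            f"conflicting answers from {names}: "
            "possible route hijack or spoofed DNS on that path"
        )
    if len(agreeing) < quorum:
        return False, (
            f"only {len(agreeing)} of {len(results)} vantage points confirmed "
            f"the token; quorum of {quorum} not met"
        )
    return True, f"{len(agreeing)} vantage points agreed on the expected token"


# --- Constructed scenarios (sample data, not real measurements) -------------
EXPECTED = "dcv-token-7f3a"  # constructed challenge value

# Legitimate request: every datacenter sees the same, correct token.
SCENARIO_CLEAN = [
    VantageResult("dc-ams", EXPECTED),
    VantageResult("dc-sfo", EXPECTED),
    VantageResult("dc-sin", EXPECTED),
    VantageResult("dc-gru", EXPECTED),
]

# Localized BGP hijack: one path is rerouted to an attacker-controlled host
# that serves its own token; the other paths still reach the real server.
SCENARIO_HIJACKED_PATH = [
    VantageResult("dc-ams", "attacker-token-0001"),  # constructed
    VantageResult("dc-sfo", EXPECTED),
    VantageResult("dc-sin", EXPECTED),
    VantageResult("dc-gru", EXPECTED),
]

# Degraded run: two lookups time out, so fewer perspectives can confirm.
SCENARIO_TOO_FEW = [
    VantageResult("dc-ams", EXPECTED),
    VantageResult("dc-sfo", None),
    VantageResult("dc-sin", None),
    VantageResult("dc-gru", EXPECTED),
]


def run_all(quorum: int = 3):
    """Evaluate the three constructed scenarios; returns a dict of outcomes."""
    return {
        "clean": evaluate_multipath_dcv(EXPECTED, SCENARIO_CLEAN, quorum),
        "hijacked_path": evaluate_multipath_dcv(EXPECTED, SCENARIO_HIJACKED_PATH, quorum),
        "too_few": evaluate_multipath_dcv(EXPECTED, SCENARIO_TOO_FEW, quorum),
    }


if __name__ == "__main__":
    for name, (passed, reason) in run_all().items():
        print(f"{name:14s} {'PASS' if passed else 'FAIL'}  {reason}")
```

Note that with a single vantage point the hijacked scenario would be indistinguishable from the clean one, which is the point the article's quoted paragraph makes: an attacker who hijacks one route affects only a subset of the DCV requests, and a checker that compares the subsets can refuse to issue.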

CAs interested in using Cloudflare’s multipath DCV checker have been instructed to send an email to dcv(at)cloudflare.com.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.